Battery-powered embedded systems (BESs) have become ubiquitous. Their internals include a battery management system (BMS), a radio interface, and a motor controller. Despite the risk they carry, there is little research on BES internal attack surfaces. To fill this gap, we present the first security and privacy assessment of e-scooter internals. We cover the Xiaomi M365 (2016) and ES3 (2023) e-scooters and their interactions with Mi Home (their companion app). We extensively reverse engineer (RE) their internals and uncover four critical design vulnerabilities, including a remote code execution issue in their BMS. Based on our RE findings, we develop E-Trojans, four novel attacks targeting BES internals. The attacks can be conducted remotely or in wireless proximity. They have a widespread real-world impact, as they violate the safety, security, availability, and privacy of the Xiaomi e-scooter ecosystem. For instance, one attack allows the extortion of money from a victim via a BMS undervoltage battery ransomware. A second one enables user tracking by fingerprinting the BES internals. With extra RE effort, the attacks can be ported to other BESs featuring similar vulnerabilities. We implement our attacks and RE findings in E-Trojans, a modular and low-cost toolkit to test BES internals. Our toolkit binary-patches BMS firmware by adding malicious capabilities. It also implements our undervoltage battery ransomware in an Android app with a working backend. We successfully test our four attacks on the M365 and ES3, empirically confirming their effectiveness and practicality. We propose four practical countermeasures to block our attacks and improve the security and privacy of the Xiaomi e-scooter ecosystem.